PevPot.com is a project that I've been working on for a few weeks now, and believe it to be the first of its kind. It's a provably fair lottery where players actually get more out than they put in. Or said more technically it's the holy grail of gambling: +EV

The way that it works is pretty simple, each draw is sponsored by a number of advertisers, who make this possible. 90% of the money the sponsors pay goes directly into the prize pot (we keep 10%). 100% of the tickets players buy go into the prize pot. For every satoshi you send, you get 1 ticket. And every 1000 bitcoin blocks (when it ends in 000) we draw a winner (in a provably fair way, of course).

Do you vouch for this guy to continue to run the business ? Could you tell us who the new owner is? I would not like someone unknown to steal my deposits when im playing this game becaue this is not like dustdice where you have insurance that your money is safe with moneypot

To be honest, I don't know the guy. I had already released the code, and someone approached me for what basically amounts to the domain. I was originally going to keep the domain, just to avoid confusion. But it's hard to say no to free hundreds of dollars, so sold it is (I've already been paid).

Is that someone dooglus? I saw in the previous page that he was interested in taking over. It would be a great news if so, as the biggest difficulty of running and promoting the site is that the owner has to be widely recognized as trustworthy.

No, it's not. But he (and everyone else) has access to the code, so who knows what will happen

P.S. @ryan Do you currently have any projects you're working on? Your ideas are quite creative and unique, but it seems like you have a habit of selling them (except for the case of BaB)

lol thanks =) But what can I say, I've got a short attention span. I think pevpot was my 5th bitcoin project, but my last bitcoin project for a while. I have some ideas for bitcoin projects I'd like to do, but feeling a bit burnout and disillusioned with the general bitcoin community at the moment Right now I'm taking a break with running bustabit and working on something totally unrelated to bitcoin or gambling

If I am not wrong last game is winning by people who deposit 0.1 and someone deposit 0.99 losing. It is possible that low deposit people will have this luck and high deposit people sometimes will lose too because it can really assure your winning though only boost your winning chance but still you can lose it sometimes

This can always happen. This is almost exactly the same as CSGOjackpot, sweetstakes.tf, and all the other variants. I'm a regular player on these sites, and ive seen firsthand people winning thousand dollar items with their twelve cent item

It reads "Draw #11 will be the last draw. Please do not deposit money after the draw ends, or sponsor further draws. =) See: bitcointalk for more details."

and Draw #12 is running

Someone purchased the site from ryan and will continue the site as if nothing changes but ryan doesnt know who the new owner is either. Well if you are comfortable with it just keep on playing on the site though every risk is on your own. Kinda weird the new owner doesnt even make a new pevpot thread

Question: What if you use 2 or 3 consecutive blocks as the basis for the winning hash?

Advantage: No need to do 1 million bcrypt or pbkdf calculations quick to verify; unlikely for a single miner to mine 2 blocks in a row. You only wait an average of 20 minutes to find out if your block could have lost, but then it's too late for the miner.Disadvantage: Waiting time. You pick 2 blocks AFTER the end of the round, and you also probably wait 6 blocks after that, for a total of 8 blocks. (The 6 confirms is needed so the 2 blocks are probably not orphaned and part of the blockchain.)

You could also keep a server seed secret, and it could be generated like moneypot's canonical hash chain or that 64 hash thing in another thread.

I believe we have the recipe for another raffle or lottery style game (and it's all here in this post), I just don't have the budget to do it (not unless someone buys my site.)

Question: What if you use 2 or 3 consecutive blocks as the basis for the winning hash?

If you use block N and N+1 to generate the result, that has the exact security equivalence of just using block N+1. iirc I think I brought this up with you before about your site, which combines 64 bitcoin block hashes; it's functionally equivalent to using a single bitcoin block hash, except now you're just dragging around a lot of complexity for nothing.

One of the key goals of provably fair, is to make it as simple as possible to verify.

but the difference is the function takes an hour to run! This means they can't broadcast the just mined block for an hour. And when you have the new unbroadcasted blockchain tip, time is money. Because loosing the block-race (which you probably will) will cost you a fair bit (and during the time the block is stretching, you'll have to mine on the probably-orphaned chain, adding to the cost of failure)

Ok. Makes more sense. I was trying to get around the computation part for more than 30 minutes. That's "hard". Not a problem for a once a week game, or even a daily game, but it does mean you have to set aside processing this. This is slow to compute AND slow to verify (please correct me if I'm wrong.)

My 64 blocks was just a theme thing; I don't even have to do it more than once, but I guess people can just look back a couple of days ago to verify. It's understandably more complicated, but I'm not sure that has any impact on the game itself. (People regularly play on non-provably fair casinos.)

The hash chain as a service is an idea, but it relies on the service being available. I had a lotto 3 years ago (which didn't even have its own website, not really anyway), it used secrets from other sites, and at least the little-bit-at-a-time has a secret revealed every hour, and random.org is a completely unrelated site with no connection to crypto. A poor man's version is a secret from another popular site that can be revealed on demand.

I'd like to avoid that. The problem was I was using SatoshiDice secrets, and they were always delayed by an hour or two. The others were published on time a minute after midnight UTC.

The only other way is a server secret, such as the hash chain, combined with a block hash. But that leaves the remote possibility of the owner colluding with a miner, or the owner is a large miner. I argue if the issue is trust, people would not deposit coins, but as has been pointed out, this remote possibility is, well, possible.

I'd also like to avoid external secrets, meaning "real life" secrets. These include actual lottery results from maybe Mega Millions or Powerball. (Although that certainly makes it provably fair, as no way would anyone know the Powerball results before the draw, unless all the balls were rigged.)

I am pretty bad at explaining things, but I'll try before Dooglus replies and makes me look like a babbling toddler.

That is funny. I read your previous post, and was just about to reply to clarify *why* using N and N+1 is equivalent to only using N+1 but I thought I should read to the end of the thread in case anyone else had already done so. Then I saw this, and it made me laugh out loud.

Ok. Makes more sense. I was trying to get around the computation part for more than 30 minutes. That's "hard". Not a problem for a once a week game, or even a daily game, but it does mean you have to set aside processing this. This is slow to compute AND slow to verify (please correct me if I'm wrong.)

You're not wrong, but you are kind of missing the point. It is slow *on purpose* so that the miner can't tell whether the block he just mined makes him win or lose, and so he can't cheat by withholding a block that makes him lose. By the time he figures out that his block makes him win it has already been orphaned, so he may as well just publish the block immediately and not try cheating the lottery.

It would be better if it was slow to figure out who won but very quick to verify the result, but nobody was able to come up with a way to do that, and so pevpot uses a calculation that is just as slow to verify as it is to run the first time.

The ideal algorithm would be:

a) slow to determine who won given a list of tickets and the mined block hashb) quick to verify the winner given a list of tickets, the mined block hash, and the winnerc) deterministic, so that step a) always gives the same winner for the same inputs

It's not hard to find systems which give us any two of these three:

A+C: The current system has (a) and (c), but there's no quick verification step.

B+C: Just using the block hash gives us (b) and (c) - it's instant to verify, and deterministic, but step (a) is also instant and so the miner can cheat.

A+B: We can get (a) and (b) using some kind of proof-of-work algorithm. We search for a nonce such that sha256(blockhash+nonce) starts with 10 zeroes (or whatever difficulty is suitable), then use that new hash to determine the winner. It's slow to find such a nonce, and quick to verify that the nonce works, but it isn't deterministic. Lots of different nonces would work, and give different winners. We could insist that the nonce search starts at zero and works upwards, such that only the lowest such nonce is accepted, but then verification is no longer instant, since we have to replicate the whole proof of work to check that the given nonce is the lowest one that works.

Can you find a method that gives all three of (a), (b), and (c)? It shouldn't rely on any "server secret", since we have no way of knowing for sure that the server owner isn't also playing the game.

I'd also like to avoid external secrets, meaning "real life" secrets. These include actual lottery results from maybe Mega Millions or Powerball. (Although that certainly makes it provably fair, as no way would anyone know the Powerball results before the draw, unless all the balls were rigged.)

Re-read what you just said: that's provably fair unless it isn't... Using powerball numbers isn't provably fair - it is relying on the trust that whatever process they use to select balls isn't rigged. There's no proof that it isn't, and so the game is "trustably" fair, not provably fair.